ARTICLE 29 Data Protection Working Party 1613//06/EN WP 127 Opinion 9/2006 on the Implementation of Directive 2004/82/EC of the Council on the obligation of carriers to communicate advance passenger data Adopted on 27 th September 2006 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Civil Justice, Rights and Citizenship) of the European Commission, Directorate General Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/43. Website: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA Set up by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 having regard to Articles 29 and 30 (1)(a) and (3) of that Directive and 15 (3) of 2002/58/EC of the European Parliament and of the Council of 12 July 2002, having regard to its Rules of Procedure, and in particular Articles 12 and 14 thereof, has adopted the following Opinion I - Implementation of the Directive into National Law Need for Guidance On April 29, 2004 the Council adopted Directive 2004/82/EC on the obligation of air carriers to communicate advance passenger data on request to authorities in charge of controlling the external borders of the European Union. The Directive is complementary to the provisions of the Schengen Convention since the latter ones are also intended to curb migratory flows and combat illegal immigration The Directive had to be transposed by the Member States of the European Union into national law by September 5, 2006. The Article 29 Working Party notes that a number of Member States have not met this deadline and that national laws transposing the Directive are still under discussion. It is still not clear whether all Member States will have implemented the Directive by the end of 2006. Other Member States may have to decide on the practical measures they have to take for the implementation of the directive. It has to be pointed out that for the sake of air passengers and air carriers alike the Directive should be implemented as soon as possible in a uniform, harmonised manner, in order to avoid diverging regulations within the European Union. All persons concerned flying into the European Union should be treated in the same way and should enjoy the same rights. Situations where passengers are treated in different ways must be avoided. The Working Party is furthermore of the view that the provisions of the Directive should be interpreted and implemented in a privacy-consistent way, in full compliance with data protection principles as laid down in Directive 95/46/EC, by respecting data protection as a fundamental right to be enjoyed by all individuals throughout the European Union. Bearing this objective in mind, the Working Party has found it appropriate to adopt some interpretive and implementing guidelines that may be of help to Member States in transposing the Directive as well as in developing the operational mechanisms. The Article 29 Working Party is well aware of the growing importance attached worldwide to the use of API (Advance Passenger Information) data for checking passengers. It also recalls its view expressed earlier 1 that it is necessary for the middlelong term to develop a more consistent approach towards the exchange of passenger data to ensure air traffic security, the fight against illegal immigration, and respect for human rights on a global level. 1 Opinion 5/2006 on the ruling by the European Court of Justice of 30 May 2006 in Joined Cases C- 317/04 and C-318/04 on the transmission of Passenger Name Records to the United States, WP122, 14 June 2006-2-
II - Specific Data Protection Guidelines 1) Purpose Limitation 1a) Purposes of the Processing: The purpose of data collection is clearly indicated in Article 1, paragraph 1 of the Directive: to improve border controls and combat illegal immigration. To that end, the competent national authorities may receive from carriers the data set out in Article 3, paragraph 2, of the Directive. The Working Party recalls that, in implementing the Directive, compliance with the purpose limitation principle is paramount. Therefore, the purposes of the processing in question must be clearly set out in national legislation and limited to what is set out in the aforementioned article of the Directive. 1b) Derogation for law enforcement purposes : Art. 6, paragraph 1, last sentence of the Directive provides that, as a derogation from the aforementioned principle, data may also be used for law enforcement purposes in accordance with the national laws of the Member States and in line with data protection provisions under Directive 95/46. Directive 2004/82, however, does not define law enforcement purposes. The Working Party considers it necessary for Member States to apply this derogation restrictively by clearly setting out the specific cases in which the data at issue may be used in law enforcement cases. In particular, the Working Party understands that such use may only take place for the investigation of serious crime, in specific cases and in the presence of specific data protection safeguards to prevent any misuse of the data. This is indispensable to ensure that data protection rights are also guaranteed when the data are used by other authorities than those for which they are primarily intended. 1c) Only EU-Bound Flights: It has also to be mentioned that the Directive covers only flights bound for a EU Member State (see Article 3, paragraph 1) and that it does not give Member States the right to request air carriers to collect and transmit advance passenger data regarding flights within the European Union. 2) Scope of Data Collection: Data Minimisation, Relevance, Non-Excessiveness 2a) Data Categories under the Directive: The Directive clearly sets out the scope of the data that may be communicated by air carriers to the competent national authorities for the purposes mentioned above (Article 3, paragraph 2). Such data should be regarded as necessary and sufficient in the light of the purposes of the Directive (improvement of border controls and fight against illegal immigration). 2b) Additional Obligations and/or Data Categories, Including Biometric Data: Recital 8 in the Directive indicates the Member States may be entitled to provide for additional data categories to be communicated by carriers, on request. Recital 9 refers to the possible inclusion of biometric features in the information to be provided by carriers, also based on technological innovation ; in this connection, it has to be noted that the Directive does not give any definition of biometric features and leaves it up to the requesting authorities to outline which biometric features should be transferred and when the requesting authorities consider such a transfer to be technically feasible. According to the Working Party, the collection of additional data elements, including data regarding the return tickets as mentioned in Recital 8, would be excessive in relation to the purposes being sought; the use of biometric -3-
data would be even more worrisome in the absence of clear-cut specifications concerning the purposes for which they should be collected and processed and the biometric features regarded as both necessary and proportionate for those purposes (see considerations on the processing of biometric data as made in documents WP80, WP96, and WP112). 2c) International Context and Sector-Specific Standards: Member States should also consider the scope of the data to be transmitted by carriers in the light of international standards set out by the relevant bodies such as the International Civil Aviation Organisation (ICAO), the World Customs Organisation (WCO) and the International Air Transport Association (IATA). These bodies have developed clearcut definitions of API data in order to achieve harmonised standards and uniform practices. Such standards were re-affirmed recently also by the European Civil Aviation Conference, which adopted on 8 April 2006 a statement of principles for API systems that Member States are invited to take into account when introducing an API system. In particular, it is clearly stated that API data consist of data found in the machine readable zone of the travel document. The Guidelines recommend that API data should not exceed those data indicated in the Guidelines. The Working Party would like to point out that Member States would be in breach of Directive 95/46 if they demanded all passenger data contained in the passenger name records (PNR) or the departure control lists of air carriers, since both by far exceed the data mentioned in the Guidelines and in other relevant international standards; additionally, it should be stressed that PNR data are not necessary for the purpose of border control. 3) Retention of the Data The Working Party would like to underline that, as specified in the Directive, the data received by border control authorities may be kept for longer than 24 hours only if needed for the purposes of the statutory functions of such authorities. However, the Directive does not specify for how long these data may be kept if forwarded to law enforcement authorities as per the derogation envisaged in Article 6, paragraph 1. As an exception to the rule that data should not be retained for longer than 24 hours, retention for a longer period should only be applied in specific cases, for example when the identity of travellers cannot be established or passengers do not have correct travel documents. Member States should provide that the data be not kept for longer than is absolutely necessary with regard to these specific purposes. 4) Information to Data Subjects Article 6, paragraph 2, of the Directive requires air carriers to inform passengers in accordance with Directive 95/46/EC. The Article 29 Working Party recalls in this connection that it adopted Opinion 97 on September 30, 2004 - regarding the information for passengers concerning the transfer of PNR data on flights between the European Union and the United States of America - and Opinion 100 dated November 25, 2004 regarding more harmonised information provisions. Both versions can serve as models to inform passengers in a comprehensive and conspicuous way. Air carriers are called upon to harness both versions with a view to being in full compliance with their obligations according to Directive 95/46/EC. Member States are called upon to ensure that passengers are also informed of possible onward transfers of their data to law -4-
enforcement authorities for the specific purposes set out in national law, in accordance with as harmonised an approach as possible. III - Conclusion The Article 29 Working Party fully supports the objective of curbing illegal immigration by improving checks on EU-bound flights as set out in Council Directive 2004/82/EC. However, the Working Party is keen to ensure that the transposition of this Directive into national law takes place in as harmonised and consistent a manner as possible by taking account of the data protection principles enshrined in Directive 95/46/EC which are expressly left unprejudiced by the Council Directive in question. For the above reason, the Working Party set out some implementing and interpretive guidelines in this Opinion in order to prevent diverging approaches by Member States that might result from the lack of clear-cut indications in some provisions of the Directive in question. The Working Party calls upon the legislatures of Member States and all competent national authorities to take account of these guidelines in developing and applying national legislation transposing the Directive. Done in Brussels, on 27 th September 2006 For the Working Party The Chairman Peter SCHAAR -5-